Dora is the EU’s response to the worldwide increase in cyber incidents. “This regulation is not just a matter for the head of information systems or the head of information security,” says Olivier Carré, PWC Luxembourg deputy managing partner and technology and transformation leader. Photo: Guy Wolff/Maison Moderne

A new PWC report details how the responsibilities of each executive function should change in the face of Dora, the new European regulation on digital operational resilience. Far from being exclusive to banks, the regulation will affect everybody in the financial sector.

One year to go: the Digital Operational Resilience Act, aka Dora, comes fully into force on 17 January 2025. The regulation aims to ensure that financial institutions are prepared to get back up and running quickly after a digital incident. To achieve this, it seeks to harmonise processes while strengthening transparency, exchanges of information and the monitoring of third-party service providers (particularly those linked to the cloud).

Olivier Carré frames Dora not as an obligatory piece of compliance, but as an opportunity to optimise operations. “You can really seize business opportunities around this,” says the PWC Luxembourg deputy managing partner and technology and transformation leader in an interview.

“Dora is not just a matter for the head of information systems.”
Olivier Carré, partner, PWC Luxembourg

Michael Horvath, partner and financial services regulatory advisor at the firm, stresses the importance of clearly defining responsibilities within financial institutions: “We have been working on this issue since the second quarter of last year. Initially, the big question in companies was: who is responsible for Dora? No one volunteered and all eyes were on the IT manager.”

However, the partners agree that Dora should not be siloed within IT. “This regulation is not just a matter for the head of information systems or the head of information security,” says Carré, noting that the regulation has numerous dimensions. “It’s much more than cyber security or information infrastructure. It’s a global question of operations and business strategy.”

Executive functions

What’s original about the PWC report is that it assigns specific responsibilities to each executive function, regardless of company type. “Dora involves the whole range of decision-makers in a company,” says Carré. “We have defined the role of each function, as it is essential to understand how each can contribute to building resilience in the face of increasing business complexity.”

For instance, according to the report, the CEO and chief operating officer (COO) should take a proactive role in strategic direction, ensuring that Dora’s vision is embedded in all operations. The chief information officer (CIO) should balance the complexity of IT operations with the need to ensure compliance and resilience. And the chief information security officer (CISO) should guide the implementation of Dora-compliant cybersecurity measures.

IT management: a crucial issue

Horvath says that regulations like Dora offer opportunities to rethink how operations are done. “Provided we ask ourselves the right questions, such as: How have you organised your data? Are you using the right technologies? Are you working with the right subcontractors?”

Another crucial issue is overall IT management. Some players, particularly those with headquarters in the United States, face complex dilemmas. “We have a number of customers whose IT is in the United States. They now have to decide whether to create a specific IT hub for Europe or adjust their standards to meet the requirements of the American and European authorities,” says Carré.

Dora must be everyone’s business both within the institution and within the financial sector as a whole, he continues. “All financial institutions are affected, but the level of preparation varies. The banks, which have already adopted high standards, are at a more advanced level of maturity. However, other segments such as the fund industry and insurers, which were less exposed in the past, need to adapt to this new reality.”

To be Dora-compliant by January 2025, financial sector leaders need to act quickly: that’s the other message from PWC, which calls it a race against time. “We are still at the beginning of this journey,” says the deputy managing partner. “Even though full implementation is scheduled for 2025, many players are just beginning to focus seriously on this. It’s on the agenda for 2024.”

And the story won’t end in January 2025. Although Dora is specific to the financial sector, its influence goes beyond that: the principles of resilience and risk management that it promotes are becoming models for other sectors, observes Carré: “Energy, telecommunications and other areas already have similar regulations. Dora is thus becoming a kind of model for a number of forthcoming regulations, all focusing on the resilience of information technologies.”

This article was originally published in Paperjam. It has been translated and edited for Delano.